Multiple senior Apple executives, speaking with BuzzFeed News on the condition of anonymity so that they could speak freely, all denied, and expressed confusion over, a report earlier this week that the company’s servers had been compromised by a Chinese intelligence operation.

On Thursday morning, Bloomberg Businessweek published a bombshell investigation. The report — the result of more than a year of reporting and over 100 interviews with intelligence and company sources — alleged that Chinese spies compromised and infiltrated almost 30 US companies, including Apple and Amazon, by embedding a tiny microchip inside company servers.

According to Bloomberg’s reporting, an attack of this caliber isn’t just elaborate but “the most significant supply chain attack known to have been carried out against American companies.” The security ramifications for the businesses (and consequently millions of Americans) are likely dizzying.

Both Amazon and Apple issued uncharacteristically strong and detailed denials of Bloomberg’s claims.

Reached by BuzzFeed News, multiple Apple sources — three of them very senior executives who work on the security and legal teams — said that they are at a loss as to how to explain the allegations. These people described a massive, granular, and siloed investigation into not just the claims made in the story, but into unrelated incidents that might have inspired them.

“We tried to figure out if there was anything, anything, that transpired that’s even remotely close to this,” a senior Apple security executive told BuzzFeed News. “We found nothing.”

A senior security engineer directly involved in Apple’s internal investigation described it as “endoscopic,” noting they had never seen a chip like the one described in the story, let alone found one. “I don’t know if something like this even exists,” this person said, noting that Apple was not provided with a malicious chip or motherboard to examine. “We were given nothing. No hardware. No chips. No emails.”

Equally puzzling to Apple execs is the assertion that it was party to an FBI investigation — Bloomberg wrote that Apple “reported the incident to the FBI.” A senior Apple legal official told BuzzFeed News the company had not contacted the FBI, nor had it been contacted by the FBI, the CIA, the NSA, or any government agency regarding the incidents described in the Bloomberg report. This person’s purview and responsibilities are of such a high level that it’s unlikely they would not have been aware of government outreach.

Apple’s broad, categorical denial is essentially unprecedented in its detail. For example, when the Washington Post revealed the government's PRISM program in 2013, Apple, Google, and Facebook all issued very precise denials noting that none had given government agencies “direct access to our servers.” In this case, however, Apple’s statement leaves little room for interpretation or alternate explanations. Apple not only denies the direct claims about its involvement with the FBI, but goes further to deny that “anything like this” happened. It went on to state that “we are not under any kind of gag order or other confidentiality obligations.”

Bloomberg’s defense of its story is equally forceful. On Friday, the publication stood by its reporting. “Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a spokesperson told BuzzFeed News in response to a series of questions. “Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”

The story has clearly rattled Apple, a notoriously private company, and one that has long touted its strong commitment to privacy. Sources say the company’s infosec team is aghast at the allegations. “This did not happen,” a senior Apple security executive told BuzzFeed News. This person insisted, vehemently, that there is no dissembling in the company’s response, that it didn’t secretly remove compromised servers, or discover compromised servers during the acceptance process and stop short of deploying them. “We have literally seen nothing like this.”

"Your iPhone is absolutely not compromised," another senior Apple security engineer told BuzzFeed News. "Nothing is compromised." And, "by the way," this person added, "no servers were removed — not 7,000, not 2,000." Apple, they explained — referencing a 2017 report by The Information — found a lone piece of common malware on a single server in a lab environment. The company determined it was the result of poor system hygiene on the part of server motherboard supplier Super Micro Computer. "We lost confidence in the vendor. We moved on. Plenty of companies do this."

Particularly vexing for Apple, say company sources, is the suggestion it might be lying to the public to protect national security interests. The company has said on record that it is under no gag order, but Congress has on occasion granted retroactive immunity to companies aiding US intelligence efforts. However, a senior Apple legal official who spoke with BuzzFeed News said the company is bound by no confidentiality order or agreement. “We are not restrained in any way,” this executive said. Asked point blank if Apple is lying to the public in the interests of national security, this executive replied, “No.”

For Apple, the investigation into the Bloomberg allegations appears to be over. Multiple sources tell BuzzFeed News that the company believes it’s done everything it can, pulled all the threads, talked to everyone, and examined every corner of its business. It’s reached a what-else-can-we-do impasse.

What happens next isn’t exactly clear. Those with a vested interest — security professionals, government officials, and Amazon and Apple’s millions of customers — are left with questions that are currently unanswerable as Bloomberg and the subjects of its story continue to square off.

John Paczkowski is a technology and business editor for BuzzFeed News and is based in San Francisco.
